Shadow Defender bypassed by TDL rootkits???

Hi I came across a thread on wilders about newer malware that seems to be able to penetrate the biggest players on the LV market.

I wouldn't be surprised if newer specific malware can bypass light virtualisation (system containment). I don't know of any and I certainly don't have any samples though.

What's more important is that Shadow Defender appears to be an abandoned product until Tony gets back to us (if he ever does):
http://www.shadowdefender.com/phpbb/viewtopic.php?f=2&t=330

Furthermore, I think patrick makes an extremely important point here (I bold the important parts):

...I think some users experienced problems in various versions (including recent) with corrupted files on re-boot and missing permissions, in my own case some of my Sygate Personal Firewall settings were lost on reboot (in more than one version). (Nero registration was lost at times in earlier versions)

The fact is, those users across other forums who always say "I've never had any problems with Shadow Defender etc", are probably not looking at their configurations etc carefully enough. I've certainly experienced what patrick describes above, and I know noorismail has too.

However, I think currently, Shadow Defender is probably quite a robust layer of protection against malware. My philosophy for "100%" computer security is combining default-deny anti-execution (eg. SRP/AppLocker, Faronics Anti-executable 3, well configured classical HIPS etc.) with containment (eg. Sandboxie, Shadow Defender, Returnil etc.).

However, given the above, I have stopped using light virtualisation technology. The concept is clever, but I personally feel that the technology/programming itself is intrinsically unstable. The same goes for rollback software like EAZ-FIX and Comodo Time Machine. There might be a reason why Windows' System Restore is so pathetic - perhaps Microsoft understand how unstable things can get if one goes too far.

In saying that, I hope Tony comes back and continues to develop Shadow Defender.

ssj100 wrote:
In saying that, I hope Tony comes back and continues to develop Shadow Defender.

+1

I wish him all the best, and hope he's ok.

If things unfortuneately playotu that SD is not being developed anymore, what product would you switch to and why?
Since you mentioned file corruption etc, does SD cause increasinf file fragmentation on disk as time goes on?

Rico wrote:If things unfortuneately playotu that SD is not being developed anymore, what product would you switch to and why?
Since you mentioned file corruption etc, does SD cause increasinf file fragmentation on disk as time goes on?

If I was still using this type of technology, I would be very unsure as to which product I would switch to. I suppose Returnil Free would be a possibility.

I don't think it's so much file corruption, but more lost or changed settings in certain programs. I remember being in Shadow Mode and browsing with Firefox (I did not change any Firefox settings). Then I rebooted and my Firefox browser had different settings (eg. Bookmarks toolbar appeared when I always have it disabled and not showing). I remember feeling extremely disappointed in Shadow Defender at that point, as I felt it just could not be reliable if it behaved like this. In other words, I rarely (in the last few years, never) get infected by malware, and Shadow Defender was effectively acting as a malware for me!

Anyway, I couldn't reproduce the above issue consistently (I think I've come across it about 3-4 times), which gave me even more doubt of Shadow Defender's reliability/stability/safety. Perhaps I experienced issues because I had Sandboxie installed with it, who knows. As I have warned repeatedly across many forums including this one, installing more than one security program which hits the kernel will increase your risk of conflict. The problem is that we don't really know how high/low this risk is.

I have had many of these little "one-off" bugs,such as folder setting changing from thumbnail view to icon,my "Toggle Java Script" button,in Firefox, persisting in a setting after reboot in ShadowMode,,little things you cant reproduce,that still add up to a bad feeling.

If ShadowDefender is abandoned,I will stick with it for awhile and reformat,so I can start fresh,and use LUA/SRP and Sandboxie.

Probably nothing else.

noor

Yes I had settings changes on Avast and Malwarbytes where I had asked them to connect to website automatically for update suddenly had popups asking again after re-boot from Shadow Defender and other things like that that I found unnerving. Lost settings and registrations. Software needed re-registering occasionally.
As you say Noorismail, this did not happen consistantly or after every re-boot but just seemed at random and in early versions of Shadow Defender Nero re-set itself to a pre-registered state. (I was not the only one that had that) Tony accepted it was happening.

Plus,with a small user base,and the transitory nature of the "bugs",
It must be very hard to fix them.

I say small user base,Patrick,do you know if ShadowDefender is widely used in China?

By the way, it seems the rootkit bypassed Returnil, Wondershare Time Freeze (no surprise I guess) and Comodo Time Machine also. It would be interesting to know if it can bypass Rollback Rx/EAZ-FIX.

I'm currently trying to get hold of the sample(s) so I can do some testing.

I got the impression somehow that it was better known in China but just gleaned bits from forums
Chinese forum translated

noorismail wrote:Plus,with a small user base,and the transitory nature of the "bugs",
It must be very hard to fix them.

I say small user base,Patrick,do you know if ShadowDefender is widely used in China?

Hopefully shadowdefender is only in a temporary developing hiatus; so noor would you ever consider going back to returnil or not?
If not then why? What are the main reasons that made sd better than returnil(free) ?-- cuz I hate subscriptionware

Hi Rico.
Yes,I really preferred the Returnil Premium 2008 version over ShadowDefender.

The problem with the free version,for me,is there is no commit to the real disk functionality.

I just did not like Returnil 2010 version at all. The added Av component was a drag,(literally and figuratively!!)

The 2008 version, on the other hand,had a simple,anti-executable,set to off by default,that once I enabled ,I loved. It worked in and out of "Shadow Mode".

Returnil Premium,or "HomeLux",is as you said,subscription ware,and rather expensive,at that.

The thing is,they run so many promotions a person could run the paid version for years,with out paying up if they keep their eyes open,and check the forums.

I still had two months on my one year gift subscription to Returnil 2008,when I picked a full year from their Facebook promotion for Returnil 2010!!


They say Returnil has a "labs" version,that is more sleek,and similar to the 2008 version.

noor

Back on topic, I've been struggling to test various TDL/TDSS rootkits in my VM with VirtualBox. My testing configuration is as follows:

1. Host system: Windows XP Pro SP3, 32-bit (fully patched)
2. Guest system: Windows XP Pro SP3, 32-bit (last patched September 2009)

After running the rootkits (including the "dogma.exe" one) the Guest system appears to restart spontaneously (crash?). After waiting a couple of minutes, I run Kaspersky's anti-rootkit tool ( http://support.kaspersky.com/downloads/utils/tdsskiller.zip ) and nothing is found. I reboot the system and again wait a couple of minutes. Then I re-run the anti-rootkit tool and again nothing is found.

I've tested the above with at least 5 different TDL/TDSS rootkits and get the same result. After reading the web, it seems no one has used exactly the same configuration as me. Most people seem to be using VirtualPC to do their testing (instead of VirtualBox).

ssj100 wrote:2. Guest system: Windows XP Pro SP3, 32-bit (last patched September 2009...

A somewhat educated guess...

I believe the XP kernel has been updated at least twice since September 2009. Any given TDL rootkit sample is coded to work with a certain OS kernel version. The BSODs you see are probably the result of mismatched sample and kernel versions. A good example of this mismatch crash is what happened after February 2010's Patch Tuesday. MS updated the kernel and, as a result, systems with existing TDL infections generally would go into a startup BSOD loop. Some would BSOD later on after logging in. MS had to pull the update. TDL's developers quickly released a version compatible with the new kernel.

When I test TDL samples using VMware, I go with the latest TDL version on a fully patched XP SP3.

Thanks for the tip nick s. I'll try patching the VM and see how it plays. I'm not sure if it will work though, as I read somewhere that people have used unpatched OS's for these tests (although I don't know how unpatched).

ssj100 wrote:Thanks for the tip nick s. I'll try patching the VM and see how it plays.

That's the first thing I would try. You can always get the latest TDL builds at KernelMode.info.

nick s wrote:

ssj100 wrote:Thanks for the tip nick s. I'll try patching the VM and see how it plays.

That's the first thing I would try. You can always get the latest TDL builds at KernelMode.info.

Didn't make any difference I'm afraid.

Okay, it seems these rootkits are probably VirtualBox aware. Pity.

Sturm und Dreck with ShadowDefender ( Light Virtualization).

http://www.wilderssecurity.com/showthread.php?t=276210

Much of it seeming to confirm ssj100's testing in virtual box.
(aware,wont run)
Some of it "faith-based" for the moment,feeding my
incipient fanboitis.

This is exciting as the BoClean battle of sainted memory.
Only this time,I have a horse in the running!!

noor

Yes, it appears that Shadow Defender is the only program of its type that protects the system against these rootkits. Just goes to show that single developer software is the best haha.

The biggest surprise is that EAZ-FIX/Rollback Rx and Comodo Time Machine fail. I'd bet the EAZ-FIX/Rollback Rx forums (if one exists) will be full of "patch this ASAP!" cries.

The Comodo Time Machine forum certainly is alive and kicking:
https://forums.comodo.com/news-announcements-feedback-ctm/does-ctm-protect-against-tdsstdl-rootkits-t58723.0.html

It's also interesting to see Coldmoon (Returnil associate) make comment. His arguments appear (not surprisingly) very biased and watered down (in an attempt) to grey out the FACT that Returnil is BYPASSED well and truly. I wouldn't be surprised if he's searching for Tony to ask him how the heck Shadow Defender works haha. Coldmoon's argument appears to be that Returnil's light system virtualisation component cannot be relied upon as the only layer of security etc etc.

Really I am surprised that Returnil2010 failed with all the added bells and whistles.

And ShadowDefender passed,just no-one really can say how!

I do thank Returnil is going toward a suite paradigm.

Maybe they preceive some upper limit with what can be done with just
light virtualization.

Or, maybe they had just rather bolt more stuff on, than refine
the base tech.

ShadowDefender seems to certainly have done more with less,for the moment.

noor

I noticed this on Wilders post 66 Leach

Shadow Defender 1.1.0.3.26 bypassed but not 1.1.0.325

patrick wrote:I noticed this on Wilders post 66 Leach

Shadow Defender 1.1.0.3.26 bypassed but not 1.1.0.325

That post confused the heck out of me (from a tester's perspective haha). It sounds like he's getting the rootkit to work in VirtualBox (when I had confirmation from another tester that it doesn't) but that the rootkit behaves strangely etc.

Anyway, interesting that 1.1.0.326 is bypassed but not 1.1.0.325. That is just bizarre. I wonder if the test has been repeated? I'd like to see it being repeated about 10 times to confirm that Shadow Defender is giving consistent results (as we know, Shadow Defender is known to give some rather inconsistent results).

It is confusing. try post 54.

Differences in XP host/guest editions of XP effecting the test.

have to wonder about 1.1.0.323.

noor

Post 54 confuses me even more haha. However, I think he is still saying that with the following configuration, the rootkits can install and infect in VirtualBox:

1. Host system: Windows XP Pro SP3, 32-bit (fully patched)
2. Guest system: Windows XP Pro SP3, 32-bit (last patched September 2009)

However, this guy agrees with me and says he has to use VPC to get the rootkit to work:
https://forums.comodo.com/news-announcements-feedback-ctm/does-ctm-protect-against-tdsstdl-rootkits-t58723.0.html;msg411973#msg411973

It's same as i had experienced, i think it's Vbox-aware.
try again with Virtual PC.

I see print spooler service is mentioned in post 69 of the Wilders thread,discussed.

I wonder if this is an assumption from the last incident,or if it is implicated in these problems as well?

Surely the new malware would not try to exploit the same point?